CISSP® Official Study Guide, Eighth Edition


(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Determining and Diagramming Potential Attacks
Once you understand the threats facing your development project or deployed infrastructure, the next step in threat modeling is to determine the potential attack concepts that could be realized. This is often accomplished by creating a diagram of the elements involved in a transaction, along with indications of data flow and privilege boundaries (Figure 1.8). This image is an example of a data flow diagram that shows each major component of a system, the boundaries between security zones, and the potential flow or movement of information and data. By crafting such a diagram for each environment or system, it is possible to more closely examine each point where a compromise could occur.
Such data flow diagrams are useful for gaining a better understanding of the relationships between resources and the movement of data through a visual representation. This process of diagramming is also known as crafting an architecture diagram. Creating the diagram helps to detail the functions and purpose of each element of a business task, development process, or work activity. It is important to include users, processors, applications, data stores, and all other essential elements needed to perform the specific task or operation. This is a high-level overview and not a detailed evaluation of the coding logic. However, for more complex systems, multiple diagrams may need to be created at various focus points and at varying levels of detail.


Chapter 1: Security Governance Through Principles and Policies
Figure 1.8: An example of diagramming to reveal threat concerns
[Data flow diagram. Elements: Users; Web Servlet; Login Process; College Library Database; Database Files; Web Pages. Boundaries: User / Web Server Boundary; Web Server / Database Boundary. Flow labels: Login Request; Login Response; Authenticate User(); Authenticate User Result; Authenticate User SQL Query; Authenticate User SQL Query Result; Pages; Data.]

Once a diagram has been crafted, identify all of the technologies involved. This includes operating systems, applications (network service and client based), and protocols. Be specific about the version numbers and update/patch level in use.
Next, identify attacks that could be targeted at each element of the diagram. Keep in mind that all forms of attack should be considered, including logical/technical, physical, and social. For example, be sure to include spoofing, tampering, and social engineering. This process will quickly lead you into the next phase of threat modeling: reduction analysis.
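
The diagramming, technology inventory, and per-element attack identification steps above can be captured in a small model. This is an added example, not code from the book. The zone assignments, flow directions, technology strings, and attack mapping are assumptions built from the labels in Figure 1.8.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "actor", "process" or "store"
    zone: str       # security zone the element sits in
    tech: str = ""  # product, version and patch level; "" means not yet recorded

# Constructed model of Figure 1.8: zones, flow directions and tech strings are assumptions.
ELEMENTS = {e.name: e for e in [
    Element("Users", "actor", "user"),
    Element("Web Servlet", "process", "web", "example-servlet-container 1.0 (constructed)"),
    Element("Login Process", "process", "web"),
    Element("Web Pages", "store", "web"),
    Element("College Library Database", "process", "database", "example-dbms 1.0 (constructed)"),
    Element("Database Files", "store", "database"),
]}
FLOWS = [  # (source, destination, label)
    ("Users", "Web Servlet", "Login Request"),
    ("Web Servlet", "Users", "Login Response"),
    ("Web Servlet", "Login Process", "Authenticate User()"),
    ("Login Process", "Web Servlet", "Authenticate User Result"),
    ("Login Process", "College Library Database", "Authenticate User SQL Query"),
    ("College Library Database", "Login Process", "Authenticate User SQL Query Result"),
    ("Web Pages", "Web Servlet", "Pages"),
    ("Database Files", "College Library Database", "Data"),
]
# Assumed starting mapping from element kind to attack types the text names.
ATTACKS = {"actor": ["spoofing", "social engineering"],
           "process": ["spoofing", "tampering"],
           "store": ["tampering", "physical"]}

def boundary_crossings(elements, flows):
    """Flows whose endpoints sit in different zones, i.e. that cross a boundary."""
    return [(label, elements[s].zone, elements[d].zone)
            for s, d, label in flows if elements[s].zone != elements[d].zone]

def missing_inventory(elements):
    """Non-human elements with no technology, version or patch level recorded."""
    return sorted(e.name for e in elements.values() if e.kind != "actor" and not e.tech)

def attack_worksheet(elements, flows):
    """One row per element, plus one row per boundary-crossing flow, for the analyst to extend."""
    sheet = {e.name: list(ATTACKS[e.kind]) for e in elements.values()}
    for label, _src, _dst in boundary_crossings(elements, flows):
        sheet[f"flow: {label}"] = ["spoofing", "tampering"]
    return sheet

if __name__ == "__main__":
    print("No version recorded:", missing_inventory(ELEMENTS))
    for row, attacks in attack_worksheet(ELEMENTS, FLOWS).items():
        print(f"{row}: {', '.join(attacks)}")
```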
